DETAILED ACTION

• Applicant's amendment filed on 1/13/2010 has been entered. Applicant has amended 
claims 1, 3-9, 19, 21-24, 32, 34-36, 39 and 42. Currently claims 1-44 are pending in this 
application. 

Response to Arguments 

Applicant's arguments with respect to claims 1, 21, 34, 35 and 36 have been considered
but are moot in view of the new ground(s) of rejection. 



Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the
manner in which the invention was made. 

Claims 36-44 are rejected under 35 U.S.C. 103(a) as being unpatentable over Russell et
al. (WO 01/77783 A2), hereinafter "Russell", in view of Langford et al. (US 6,266,420 B1),
hereinafter "Langford".

Regarding Claim 36, Russell discloses an access control system that restricts access to 
a secure item (see, Fig. 1), said system comprising: 

a central server having a server module that provides overall access control (see, page 
16, lines 18-23); and

a plurality of local servers, each of said servers including a local module that provides
local access control (see, Page 24, lines 14-22),

wherein the access control, performed by said central server or said local servers, 
operates to permit or deny access requests to secured items by requestors (see, Page 16, lines
18-23), and 

permitted to access the secure item through one or more of said local servers, is only 
able to access the secure item using only a single one of said local servers or the central server 
such that the given requestor is only permitted to access the secure item through at most one of 
said local servers at a time (see, Page 24, 14-22).

Russell discloses controlling access to a secure file. Russell does not explicitly disclose
retrieving at the first server machine, a user key permitting access to an individual encrypted 
sub-header of the secure item and wherein the individually encrypted sub-header is selected for 
decryption by the given requestor from a group of one or more additional individually encrypted 
sub-headers corresponding to other requestors or groups to which the other requestors belong 
based on correspondence of the individually encrypted sub-header to an identifier for the given 
requestor or to a group to which the requestor belongs. 

Langford discloses individually encrypted sub-headers and wherein the individually 
encrypted sub-header (see, Fig. 1, each of the wrapped keys in the header) is selected for 
decryption by the given requestor from a group of one or more additional individually encrypted 
sub-headers corresponding to other requestors or groups to which the other requestors belong 
based on correspondence of the individually encrypted sub-header to an identifier for the given 
requestor or to a group to which the requestor belongs (see, Fig. 2, and also Column 1, lines 39-53,
"The receiving party locates his copy of the wrapped key by the key identifier in the header.
The recipient can then decrypt the symmetric key using his private key.").

Therefore, it would have been obvious at the time the invention was made to a person of
ordinary skill in the art to place file key of Russell into encrypted sub-headers as taught by 
Langford because "In this way, multiple recipients can each locate their wrapped copy of the 
symmetric key, unwrap the key, and then use the symmetric key to decrypt the message", (see, 
Langford, Column 1, lines 39-53). 

Regarding Claim 37, the rejection of claim 36 is incorporated and the combination of 
Russell and Langford further discloses wherein said access control system couples to an 
enterprise network to restrict access to the secure item, which comprises a secured file, stored 
therein (see Russell, Fig. 3). 

Regarding Claim 38, the rejection of claim 37 is incorporated and the combination of 
Russell and Langford further discloses wherein the access requests are at least primarily 
processed in a distributed manner by said local servers (see, Russell, Page 24, lines 14-22). 

Regarding Claim 39, the rejection of claim 38 is incorporated and the combination of 
Russell and Langford further discloses wherein the requestors gain access to the secured files 
without having to access said central server based on processing of the access requests by said 
local servers (see, Russell, Page 24, lines 14-22). 

Regarding Claim 40, the rejection of claim 37 is incorporated and the combination of 
Russell and Langford further discloses wherein the local module is a copy of the server module 
so any of the local modules can operate independently of said central
server and other of said local servers (see, Page 23, lines 19-22).

Regarding Claim 41, the rejection of claim 37 is incorporated and the combination of
Russell and Langford further discloses wherein the local module is a subset of the server 
module (see, Russell, Page 18, lines 15-17). 

Regarding Claim 42, the rejection of claim 42 is incorporated and the combination of 
Russell and Langford further discloses wherein access permissions for said local servers is 
dynamically configured to pass a requestor from one of said local servers to another of said 
local servers, thereby enabling access control to be performed by the another of said local 
servers such as a change of the location of the requestor (see, Page 20, lines 16-31).

Regarding Claim 43, the rejection of claim 37 is incorporated and the combination of 
Russell and Langford further discloses wherein the secured files are secured by encryption of 
the secure item (see, Page 9, lines 6-7).

Regarding Claim 44, the rejection of claim 37 is incorporated and the combination of 
Russell and Langford further discloses wherein the secure item are secured by encryption (see, 
page 9, lines 6-7). 

Claims 1-19, 21-32 and 34-35 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Russell in view of Langford and further in view of Richards et al. (US 
2002/0016922 A1), hereinafter "Richards".

Regarding Claims 1 and 34, Russell discloses method and corresponding computer 
program for providing access management through use of a plurality of server machines 
associated with different locations (see, Fig. 1), said method comprising:

receiving, at a first server machine of the plurality of server machines, an access request
to access a secure item from a first client machine at a first location (see, page 24, lines 2-7);

authenticating a user of the first client machine at the first location (see, Page 11, lines
30-31); 

authenticating the first client machine (See, Page 25, lines 6-14); 

retrieving at the first server machine access rules for the secured item based on the 
success of said authentication of the user and authenticating of the first client machine (see, 
Page 25, lines 23-30); 

permitting access to the secure item via the first location based on success of said 
authenticating of the user and authenticating of the first client machine and further based on 
allowability by the access rules (see, page 11, lines 30-31, Page 25, lines 6-14 and Page 26,
lines 3-13); 

permitting access to the secure item via the first server machine based on said permitting 
access to the secure system via the first location permitting the user to gain access to the 
secure item from the first location (see, page 11, lines 30-31, Page 25, lines 6-14 and Page 26,
lines 3-13); and 

preventing access to the secure item via the first server machine based on said 
permitting access to the secure system via the first location not permitting the user to gain 
access to the secure item from the first location (see Page 26, lines 7-9). 

Russell discloses encrypting secure content to be delivered; however, Russell does not
explicitly teach retrieving at the first server machine a user key permitting access to an 
individually encrypted sub-header of the secured item and the sub-header selected, from a 
group of individually encrypted sub-headers corresponding to other user or groups, based on
the sub-header's correspondence to other users or groups to the user or to a group to which the 
user belongs based on an identifier. 

Langford discloses retrieving at the first server machine, a user key permitting access to 
an individual encrypted sub-header of the secure item (see, Fig. 2, and also Column 1, lines 39-
53, public key of the key pair), the sub-header selected, from a group of individually encrypted
sub-headers corresponding to other user or groups (see, Fig. 1, each of the wrapped keys in the
header), based on the sub-header's correspondence to other users or groups to which the user 
belongs based on an identifier (see, Fig. 2, and also Column 1, lines 39-53, "The receiving party 
locates his copy of the wrapped key by the key identifier in the header. The recipient can then 
decrypt the symmetric key using his private key."). 

Therefore, it would have been obvious at the time the invention was made to a person of
ordinary skill in the art to place file key of Russell into encrypted sub-headers as taught by
Langford because "In this way, multiple recipients can each locate their wrapped copy of the
symmetric key, unwrap the key, and then use the symmetric key to decrypt the message", (see,
Langford, Column 1, lines 39-53).

The combination of Russell and Langford discloses individually encrypted sub-headers 
but does not explicitly teach that the individually encrypted sub-header including access rules for 
the secured item and. 

However, Richards discloses a system where a given requester is permitted to access a 
secure item based on access rules stored in an encrypted header of a secure item (see, Fig. 4
and Paragraphs 0066-0068).

Therefore, it would have been obvious at the time the invention was made to a person of
ordinary skill in the art to place access information of the combination of Russell and Langford 
into encrypted sub-header of secure item as taught by Richards because "all encoded header 
data, database, and any other data are encoded as a single data file or stream being singular in 
type, the data may be checked by the application before opening via the various embedded 
hash elements. Accordingly, the security and integrity of the data is further maintained, firewall 
requirements are simplified, and the potential of firewall penetration is reduced" (see, Paragraph
0073). 

Regarding Claims 21 and 35, Russell discloses method and corresponding computer
program for providing access management through use of a distributed network of server
machines (see, Fig. 1), said method comprising:

receiving, at a first server machine of the plurality of server machines, an access request 
to access a secure item from a first client machine (see, page 24, lines 2-7); 

authenticating a user of the client machine (see, Page 11, lines 30-31);

authenticating the first client machine (See, Page 25, lines 6-14); 

upon successfully authenticating the user and authenticating the first client machine, 
retrieving access rules for the secure item (see, Page 25, lines 23-30);

retrieving access privileges associated with the user (see, Page 25, lines 23-30); 

determining whether the user is permitted to gain access to the secure item via the first 
server machine based on success of said authentication the user and said authenticating the 
first client machine and further based on allowability by the access privileges and access rules 
(see, page 11, lines 30-31, Page 25, lines 6-14 and Page 26, lines 3-13);

permitting access to the secure item via the first server machine based on said
determining whether the user is permitted to gain access to the secure item via the first server 
machine determining that the user is permitted to gain access to the secure item via the first 
server machine (see, page 11, lines 30-31, Page 25, lines 6-14 and Page 26, lines 3-13); and 

preventing access to the secure item via the first server machine when said determining 
whether the user is permitted to gain access to the secure item via the first server machine
determines that the user is not permitted to gain access to the secure item via the first server 
machine (see Page 26, lines 7-9). 

Russell discloses encrypting secure content to be delivered; however, Russell does not
explicitly teach retrieving at the first server machine a user key permitting access to an 
individually encrypted sub-header of the secured item and the sub-header selected, from a 
group of individually encrypted sub-headers corresponding to other user or groups, based on 
the sub-header's correspondence to other users or groups to the user or to a group to which the 
user belongs based on an identifier. 

Langford discloses retrieving at the first server machine, a user key permitting access to 
an individual encrypted sub-header of the secure item (see, Fig. 2, and also Column 1, lines 39-
53, public key of the key pair), the sub-header selected, from a group of individually encrypted
sub-headers corresponding to other user or groups (see, Fig. 1, each of the wrapped keys in the
header), based on the sub-header's correspondence to other users or groups to which the user
belongs based on an identifier (see, Fig. 2, and also Column 1, lines 39-53, "The receiving party
locates his copy of the wrapped key by the key identifier in the header. The recipient can then
decrypt the symmetric key using his private key.").

Therefore, it would have been obvious at the time the invention was made to a person of
ordinary skill in the art to place file key of Russell into encrypted sub-headers as taught by
Langford because "In this way, multiple recipients can each locate their wrapped copy of the
symmetric key, unwrap the key, and then use the symmetric key to decrypt the message", (see,
Langford, Column 1, lines 39-53).

The combination of Russell and Langford discloses individually encrypted sub-headers 
but does not explicitly teach that the individually encrypted sub-header including access rules for 
the secured item and. 

However, Richards discloses a system where a given requester is permitted to access a 
secure item based on access rules stored in an encrypted header of a secure item (see, Fig. 4 
and Paragraphs 0066-0068). 

Therefore, it would have been obvious at the time the invention was made to a person of
ordinary skill in the art to place access information of the combination of Russell and Langford 
into encrypted sub-header of secure item as taught by Richards because "all encoded header 
data, database, and any other data are encoded as a single data file or stream being singular in 
type, the data may be checked by the application before opening via the various embedded 
hash elements. Accordingly, the security and integrity of the data is further maintained, firewall 
requirements are simplified, and the potential of firewall penetration is reduced" (see, Paragraph
0073). 

Regarding Claim 2, the rejection of claim 1 is incorporated and the combination of 
Russell, Langford and Richards further discloses wherein said determining permitting access to 
the secure system via the first location comprises: obtaining access privileges associated with 



Application/Control Number: 10/075,194 Page 11

Art Unit: 2435 

the user to determine at least one or more permitted locations for the user; and determining 
whether the user is permitted to gain access to the secure item from the first location based on 
the permitted locations associated with the user (see Russell, page 11, lines 30-31, Page 25,
lines 6-14 and Page 26, lines 3-13). 

Regarding Claim 3, the rejection of claim 1 is incorporated and the combination of 
Russell, Langford and Richards further discloses wherein permission by said permitting access 
to the secure system via the first location further comprises allowing access to the secure item 
from the first location via the first client machine and the first server machine (see Russell, page 
11, lines 30-31, Page 25, lines 6-14 and Page 26, lines 3-13). 

Regarding Claim 4, the rejection of claim 1 is incorporated and the combination of 
Russell, Langford and Richards further discloses wherein permission by said permitting access 
to the secure item via the first server machine further comprises allowing access to the secure 
item from the first location via the first client machine and the first server machine (see Russell, 
page 11, lines 30-31, Page 25, lines 6-14 and Page 26, lines 3-13). 

Regarding Claims 5 and 22, the rejections of claims 1 and 21 are incorporated and the 
combination of Russell, Langford and Richards further discloses preventing access to the 
secure item via any of the server machines other than the first server machine based on 
permitting access to the secure item via the first server machine permitting the user to gain 
access to the secure item from the first location (see Russell, Page 29, lines 1-4). 

Regarding Claims 6 and 23, the rejections of claims 1 and 21 are incorporated and the
combination of Russell, Langford and Richards further discloses wherein said permitting access 
to the secure system via the first location comprises determining whether the user is permitted 
to gain access to the secure item via the first client machine and the first server machine, and
wherein said permitting access to the secure item via the first server machine operates to permit
the user to gain access to the secure item via the first client machine and the first server
machine based on said permitting access to the secure system via the first location determining
that the user is permitted to gain access to the secure item via both the first client machine and
the first server machine (see Russell, page 11, lines 30-31, Page 25, lines 6-14 and Page 26, 
lines 3-13). 

Regarding Claim 24, the rejection of claim 23 is incorporated and the combination of
Russell, Langford and Richards further discloses preventing access to the secure item via any 
of the server machines other than the first server machine when said determining whether the 
user is permitted to gain access to the secure item via the first server machine determines that 
the user is permitted to gain access to the secure item from the first location (see Page 29, lines 
1-4). 

Regarding Claim 7, the rejection of claim 1 is incorporated and the combination of 
Russell, Langford and Richards further discloses wherein said permitting access to the secure 
system via the first location comprises determining whether the user is permitted to gain access 
to the secure item via the first server machine, and wherein said permitting access to the secure
item via the first server machine operates to permit the user to gain access to the secure item
via the first server machine based on said permitting access to the secure system via the first
location determining that the user is permitted to gain access to the secure item via the first
server machine (see Russell, page 11, lines 30-31, Page 25, lines 6-14 and Page 26, lines 3-13).

Regarding Claim 8, the rejection of claim 1 is incorporated and the combination of
Russell, Langford and Richards further discloses wherein said permitting access to the secure 
system via the first location comprises determining whether the user is permitted to gain access 
to the secure item via the first client machine, and wherein said permitting access to the secure 
item via the first server machine operates to permit the user to gain access to the secure item 
via the first client machine based on said permitting access to the secure system via the first 
location determining that the user is permitted to gain access to the secure item via the first 
client machine (see Russell, page 11, lines 30-31, Page 25, lines 6-14 and Page 26, lines 3-13). 

Regarding Claim 9, the rejection of claim 1 is incorporated and the combination of 
Russell, Langford and Richards further discloses preventing the user from gaining access to the 
secure item via any of the server machines other than the first server machine based on said 
permitting access to the secure system via the first location determining that the user is 
permitted to gain access to the secure item from the first location (see Page 29, lines 1-4). 

Regarding Claims 10 and 25, rejections of claims 9 and 24 are incorporated and the 
combination of Russell, Langford and Richards further discloses 

wherein said preventing the user from gaining access to the secure item via any of the 
server machines other than the first server machine comprises reconfiguring at least one of the 
server machines that previously permitted the user to gain access to the secure item 
therethrough (see, Russell, Page 25, line 22- Page 26, line 2). 

Regarding Claims 11 and 26, the rejections of claims 10 and 25 are incorporated and 
the combination of Russell, Langford and Richards further discloses said permitting access to 
the secure item via the first server machine comprises reconfiguring the first server machine to 
permit access by the user to the secure item via the first server machine (see, Russell, Page 24,
lines 14-22). 

Regarding Claim 12, the rejection of claim 13 is incorporated and the combination of 
Russell, Langford and Richards further discloses wherein said permitting access to the secure 
system via the first location comprises: obtaining access privileges associated with the user to 
determine at least one or more permitted locations for the user (see, Russell, Page 25, lines 11- 
14); and determining whether the user is permitted to gain access to the secure item from the 
first location based on the permitted locations associated with the user (see, Russell, Page 25, 
lines 11-14). 

Regarding Claims 13 and 27, rejections of claims 1 and 21 are incorporated and the 
combination of Russell, Langford and Richards further discloses wherein said permitting access 
to the secure item via the first server machine comprises reconfiguring the first server machine 
to permit access by the user to the secure item via the first server machine (see, Russell, Page 
24, lines 14-22). 

Regarding Claims 14 and 28, rejections of claims 13 and 21 are incorporated and the 
combination of Russell, Langford and Richards further discloses wherein the secure item is a 
secured file, the secured file having a format that comprises a header including security 
information as to who and how access to the secure item is permitted (see, Richards, Fig. 4 and 
Paragraphs 0066-0068); an encrypted data portion including data of the secured file encrypted 
with a file key according to a predetermined cipher scheme, and wherein the header is attached 
to the encrypted data portion to generate the secured file (see, Langford, Fig. 1).

Regarding Claims 15 and 29, rejections of claims 14 and 28 are incorporated and the
combination of Russell, Langford and Richards further discloses wherein the security 
information in the header of the secured file facilitates the restricted access to the secured file 
(see, Richards, Fig. 4 and Paragraphs 0066-0068). 

Regarding Claim 16, the rejection of claim 15 is incorporated and the combination of 
Russell, Langford and Richards further discloses wherein the security information in the header 
of the secured file points to or includes the access rules and a file key (see, Langford, Fig. 1 as 
combined with Richards, Fig. 4 and Paragraphs 0066-0068). 

Regarding Claims 17 and 30, rejections of claims 14 and 28 are incorporated and the
combination of Russell, Langford and Richards further discloses wherein the security 
information is encrypted with a user key associated with the user (see, Langford, Fig. 1). 

Regarding Claims 18 and 31, rejections of claims 14 and 28 are incorporated and the 
combination of Russell, Langford and Richards further discloses wherein the security 
information includes the file key and access rules to the restricted access to the secured file 
(see, Langford, Fig. 1 as combined with Richards, Fig. 4 and Paragraphs 0066-0068). 

Regarding Claims 19 and 32, rejections of claims 18 and 28 are incorporated and the 
combination of Russell, Langford and Richards further discloses wherein the file key is retrieved 
to decrypt the encrypted data portion in the secured file based on access privilege of the user 
being within access permissions by the access rules (see, Langford, Fig. 1 as combined with 
Richards, Fig. 4 and Paragraphs 0066-0068).

Claims 20 and 33 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Russell in view of Langford and Richards and further in view of Brown et al. (US 2003/0050919
A1), hereinafter "Brown".

Regarding Claims 20 and 33, rejections of claims 18 and 31 are incorporated and the 
combination of Russell, Langford and Richards does not explicitly disclose access rules 
expressed in a markup language. 

However, Brown discloses access rules expressed in a markup language (see, Fig. 5A
and Paragraph 0052). 

Therefore, it would have been obvious at the time the invention was made to a person of
ordinary skill in the art to express the access rules of the combined system of Russell, Langford
and Richards in a markup language as taught by Brown because XML is a text-based and
platform independent markup language, as a result distributor server would be able to enforce
and distribute the content with policies to all clients having any type of operating system platform.

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant 
is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS 
from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the 
mailing date of this final action and the advisory action is not mailed until after the end of the 
THREE-MONTH shortened statutory period, then the shortened statutory period will expire on 
the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will
be calculated from the mailing date of the advisory action. In no event, however, will the 
statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to YOGESH PALIWAL whose telephone number is (571)270-1807. The 
examiner can normally be reached on M-F 9:00 - 5:00 EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu, can be reached on 5712723859. The fax phone number for the organization
where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Y. P./ 

Examiner, Art Unit 2435 
/Kimyen Vu/ 

Supervisory Patent Examiner, Art Unit 2435 



